Auth-Type :- Reject in users file matches inner tunnel request but sends Access-Accept

Alan DeKok aland at deployingradius.com
Tue Jun 12 23:08:54 CEST 2012 

Michael Gorven wrote:
> I have setup WPA2-EAP authentication using FreeRADIUS 2.1.8 on Ubuntu
> 10.04.4 with an OpenLDAP backend, and can successfully authenticate
> using PEAP/MSCHAPv2, TTLS/MSCHAPv2 and TTLS/PAP (both via the AP and
> using eapol_test). I am now trying to restrict access to specific SSIDs
> based on the LDAP groups which users belong to.

  Write down in plain English what you want to happen.  Not "I want to
restrict access", but "when X happens and Y happens, then do Z"

> From what I can gather, I need to add appropriate rules to
> /etc/freeradius/users which matches the SSID/group combinations, and
> rejects everything else. The problem I'm having is with the default
> reject, not the SSID/group matching.
> 
> My first attempt was this:
> 
> DEFAULT Ldap-Group == "employees"

  This says "match the LDAP group employees".

  Note it *doesn't* say do anything else.

> DEFAULT Auth-Type := Reject

  This says "always reject the user".

> But this immediately rejects the Access-Request in the outer tunnel,
> because the "anonymous" user is not in the "employees" group. I then
> modified it to this so that it only matches inner tunnel requests:
> 
> DEFAULT Ldap-Group == "employees"
> DEFAULT FreeRADIUS-Proxied-To == "127.0.0.1"
>         Auth-Type := Reject, Reply-Message = "User does not belong to
> any groups which may access this SSID."

  That is very wrong on many levels.  You've switched the "Auth-Type :=
Reject" from the first line to the second.  That WILL NOT WORK.

  This is documented.  Read "man users", and the comments in the default
"users" file.  There is extensive documentation on the format, and how
it works.

> The inner tunnel Access-Request is now sent and members of the
> "employees" group are accepted, but non-members are not actually
> rejected. I see the users entry being matched, and the Reply-Message is
> even set, but the server responds with Access-Accept and eapol_test
> reports SUCCESS.

  Because that's what you told it to do.

> Behaviour is the same with PEAP/MSCHAPv2 and TTLS/PAP. I tried setting
> copy_request_to_tunnel and use_tunneled_reply to yes in the PEAP and
> TTLS sections, but this didn't make a difference. How do I actually
> reject an inner tunnel request?

  Edit raddb/sites-available/inner-tunnel.  See "man unlang" for the format.

  Or, read "man users", and create a *good* entry in the "users" file:

DEFAULT Ldap-Group != "employees", FreeRADIUS-Proxied-To == "127.0.0.1",
Auth-Type := Reject
	Reply-Message = "User does not belong to any groups which may access
this SSID."


  Note that everything BUT the Reply-Message belongs on the first line
with the "DEFAULT".  The Reply-Message belongs on the second line.
Again, this is extensively documented.

  Alan DeKok.

More information about the Freeradius-Users mailing list